Eurostar resets customers’ passwords after accounts breached

If you’re one of the millions of people who travels under the English Channel each year, then there’s a good chance you may have to change your password for the Eurostar.com website.

Eurostar has explained in an email to affected customers that it is resetting all users’ passwords after automated attempts were made to access accounts between 15-19 October.

Part of the email reads as follows:

You may have noticed that you’re being asked to reset your password when you try to log in to eurostar.com. We’ve taken this action as a precaution because we identified what we believe to be an unauthorised automated attempt to access eurostar.com accounts using your email address and password.

We‘ve since carried out an investigation which shows that your account was logged into between the 15 and 19 October. If you didn‘t log in during this period, there’s a possibility your account was accessed by this unauthorised attempt.

Please be reassured that your credit card or payment details haven’t been compromised as we never store such information on eurostar.com accounts.

We‘d recommend that you reset your Eurostar password and check for anything unusual on your account. We‘d also recommend updating your login details on other websites where you use the same password.

Unfortunately, Eurostar has not been forthcoming about just how many people were affected by the attack, and what data may have been accessed from customers’ accounts.

What also isn’t clear is how the attackers were able to access users’ passwords in the first place in order to attempt to log into their accounts.

Eurostar makes no mention of a customer database falling into the wrong hands, so one possible theory is that the passwords used to access accounts may have been originally taken from a breach of a different online service. If that’s the case then whoever is behind the breaches of Eurostar accounts has been taking advantage of the fact that so many people continue to reuse the same passwords on multiple websites.

Regardless of how the hacker was able to break into some customers’ accounts there’s a very simple message: All change please!

Make sure you never use the same password at different websites. Use a password manager to generate strong, hard-to-crack, unique passwords and then let it remember them for you (because your puny human brain will never be able to cope).

Where possible (as far as I can tell it isn’t possible on Eurostar’s website) enable two factor authentication to provide a higher level of security for your online accounts.

The UK’s Information Commissioner’s Office (ICO) has been informed about the incident.

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.